path: root/src/openvpn/multi.h
author: Gert Doering <gert@greenie.muc.de> 2013-05-05 14:36:13 +0200
committer: Gert Doering <gert@greenie.muc.de> 2013-05-27 13:46:59 +0200
commit: a8be73799be163909a3b212656dedf03494f0792
tree: 079046ca6c087e66a8286709f1bb7a27a9b5b625 /src/openvpn/multi.h
parent: 598e03f0e7bce434e501a9895819f2af0714d5f6
Make push-peer-info visible in "normal" per-instance environment.
Without this patch, peer-info pushed by clients in the TLS handshake is only visible on the management interface, and only if --management-client-auth is enabled. With this patch, received records are sanitized and put into the normal "multi instance" environment, where they can be evaluated by --client-connect or --auth-user-pass-verify scripts and plugins, etc.

Only records matching a fairly strict "name=value" format are accepted, and only names starting with IV_ or UV_ are exported, to avoid clients sending funny stuff and playing havoc with script/plugin environments on the server. In the "value" part, spaces, non-printable characters and shell metacharacters are replaced by '_'.

The change is somewhat invasive, as reception of the peer_info string was only done when username+password are expected from the client, but the data is always there (if the client sends no username/password, it will send 0-length strings, so always extracting 3 strings is safe). Also, the sanitation function validate_peer_info_line() and the opts->peer_info field were only compiled in #ifdef MANAGEMENT_DEF_AUTH...

Patch v3: do not call the old man_output_peer_info_env() anymore, unless a management env-filter has been set (= ensure IV_ and UV_ stuff is sent at most *once*, and exactly the way OpenVPN AS expects it). Add substituting of "bad" characters in the environment values.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1367757373-31637-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7582
Diffstat (limited to 'src/openvpn/multi.h')
src/openvpn/multi.h | 3 +++
1 file changed, 3 insertions, 0 deletions
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index fc2ffb2..7b97b0d 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -312,6 +312,9 @@ void multi_close_instance_on_signal (struct multi_context *m, struct multi_insta
void init_management_callback_multi (struct multi_context *m);
void uninit_management_callback_multi (struct multi_context *m);
+bool validate_peer_info_line(char *line);
+void multi_output_peer_info_env (struct env_set *es, const char * peer_info);
+
/*
* Return true if our output queue is not full
*/
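Review bot: the two new prototypes should carry a short comment stating the contract, since this header documents its declarations (see the "Return true if our output queue is not full" block right below) and callers of `validate_peer_info_line()` need to know what "valid" means here: per the commit message, a strict "name=value" record with a name starting with IV_ or UV_, and that it returns true only for records safe to export into the script/plugin environment. It also takes a non-const `char *line`; if the function only checks the line, declare it `const char *line`, and if it rewrites the line in place (the message mentions replacing spaces, non-printable characters and shell metacharacters with '_'), the comment should say so, since a caller passing a buffer it still needs would otherwise be surprised. Minor style point: `validate_peer_info_line(char *line)` drops the space before the parenthesis that every neighbouring declaration uses (`init_management_callback_multi (`, `multi_output_peer_info_env (`); keep the file consistent.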